Merge #716: Add Musig2 module

c6fc3d7 run cargo fmt (Andrew Poelstra)
2f0f9d8  Add Musig2 example file (jlest01)
dd26c30 Add Musig2 module (jlest01)
e90015e Add function to sort public keys (jlest01)
f384a2d Add Rust FFI for Musig2 module (jlest01)
a21d6ca Enable musig module in the `secp256k1-sys/build.rs` (jlest01)

Pull request description:

  This PR adds a `musig` module based on bitcoin-core/secp256k1#1479.
  The structure is based on sanket1729's BlockstreamResearch/rust-secp256k1-zkp#48, but I removed the code related to adaptor signatures.

  There is an example file in `examples/musig.rs` and can be run with `cargo run --example musig --features "rand std"`.
  The `ffi` functions were added to `secp256k1-sys/src/lib.rs` and the API level functions to the new `src/musig.rs` file.

ACKs for top commit:
  apoelstra:
    ACK c6fc3d7; successfully ran local tests

Tree-SHA512: ea4cf0add66976604a01f7e2b44a2e4f82c3ff4a48edcb214ff8e2dc7c04992e7d5ae9e68a8f93ee21b8d478b96786083a335b46eefe4aa1af5e7c62421d1330

Author: apoelstra

Cargo.toml

@@ -66,6 +66,10 @@ required-features = ["hashes", "std"]
 name = "generate_keys"
 required-features = ["rand", "std"]
 
+[[example]]
+name = "musig"
+required-features = ["rand", "std"]
+
 [workspace]
 members = ["secp256k1-sys"]
 exclude = ["no_std_test"]

examples/musig.rs

@@ -0,0 +1,101 @@
+extern crate secp256k1;
+
+use secp256k1::musig::{
+    new_nonce_pair, AggregatedNonce, KeyAggCache, PartialSignature, PublicNonce, Session,
+    SessionSecretRand,
+};
+use secp256k1::{pubkey_sort, Keypair, Message, PublicKey, Scalar, Secp256k1, SecretKey};
+
+fn main() {
+    let secp = Secp256k1::new();
+    let mut rng = rand::thread_rng();
+
+    let (seckey1, pubkey1) = secp.generate_keypair(&mut rng);
+
+    let seckey2 = SecretKey::new(&mut rng);
+    let pubkey2 = PublicKey::from_secret_key(&secp, &seckey2);
+
+    let pubkeys = [pubkey1, pubkey2];
+    let mut pubkeys_ref: Vec<&PublicKey> = pubkeys.iter().collect();
+    let pubkeys_ref = pubkeys_ref.as_mut_slice();
+
+    pubkey_sort(&secp, pubkeys_ref);
+
+    let mut musig_key_agg_cache = KeyAggCache::new(&secp, pubkeys_ref);
+
+    let plain_tweak: [u8; 32] = *b"this could be a BIP32 tweak....\0";
+    let xonly_tweak: [u8; 32] = *b"this could be a Taproot tweak..\0";
+
+    let plain_tweak = Scalar::from_be_bytes(plain_tweak).unwrap();
+    musig_key_agg_cache.pubkey_ec_tweak_add(&secp, &plain_tweak).unwrap();
+
+    let xonly_tweak = Scalar::from_be_bytes(xonly_tweak).unwrap();
+    let tweaked_agg_pk = musig_key_agg_cache.pubkey_xonly_tweak_add(&secp, &xonly_tweak).unwrap();
+
+    let agg_pk = musig_key_agg_cache.agg_pk();
+
+    assert_eq!(agg_pk, tweaked_agg_pk.x_only_public_key().0);
+
+    let msg_bytes: [u8; 32] = *b"this_could_be_the_hash_of_a_msg!";
+    let msg = Message::from_digest_slice(&msg_bytes).unwrap();
+
+    let musig_session_sec_rand1 = SessionSecretRand::from_rng(&mut rng);
+
+    let nonce_pair1 = new_nonce_pair(
+        &secp,
+        musig_session_sec_rand1,
+        Some(&musig_key_agg_cache),
+        Some(seckey1),
+        pubkey1,
+        Some(msg),
+        None,
+    );
+
+    let musig_session_sec_rand2 = SessionSecretRand::from_rng(&mut rng);
+
+    let nonce_pair2 = new_nonce_pair(
+        &secp,
+        musig_session_sec_rand2,
+        Some(&musig_key_agg_cache),
+        Some(seckey2),
+        pubkey2,
+        Some(msg),
+        None,
+    );
+
+    let sec_nonce1 = nonce_pair1.0;
+    let pub_nonce1 = nonce_pair1.1;
+
+    let sec_nonce2 = nonce_pair2.0;
+    let pub_nonce2 = nonce_pair2.1;
+
+    let nonces = [pub_nonce1, pub_nonce2];
+    let nonces_ref: Vec<&PublicNonce> = nonces.iter().collect();
+    let nonces_ref = nonces_ref.as_slice();
+
+    let agg_nonce = AggregatedNonce::new(&secp, nonces_ref);
+
+    let session = Session::new(&secp, &musig_key_agg_cache, agg_nonce, msg);
+
+    let keypair1 = Keypair::from_secret_key(&secp, &seckey1);
+    let partial_sign1 = session.partial_sign(&secp, sec_nonce1, &keypair1, &musig_key_agg_cache);
+
+    let keypair2 = Keypair::from_secret_key(&secp, &seckey2);
+    let partial_sign2 = session.partial_sign(&secp, sec_nonce2, &keypair2, &musig_key_agg_cache);
+
+    let is_partial_signature_valid =
+        session.partial_verify(&secp, &musig_key_agg_cache, partial_sign1, pub_nonce1, pubkey1);
+    assert!(is_partial_signature_valid);
+
+    let is_partial_signature_valid =
+        session.partial_verify(&secp, &musig_key_agg_cache, partial_sign2, pub_nonce2, pubkey2);
+    assert!(is_partial_signature_valid);
+
+    let partial_sigs = [partial_sign1, partial_sign2];
+    let partial_sigs_ref: Vec<&PartialSignature> = partial_sigs.iter().collect();
+    let partial_sigs_ref = partial_sigs_ref.as_slice();
+
+    let aggregated_signature = session.partial_sig_agg(partial_sigs_ref);
+
+    assert!(aggregated_signature.verify(&secp, &agg_pk, &msg_bytes).is_ok());
+}

secp256k1-sys/build.rs

@@ -26,6 +26,7 @@ fn main() {
                .define("ENABLE_MODULE_SCHNORRSIG", Some("1"))
                .define("ENABLE_MODULE_EXTRAKEYS", Some("1"))
                .define("ENABLE_MODULE_ELLSWIFT", Some("1"))
+               .define("ENABLE_MODULE_MUSIG", Some("1"))
                // upstream sometimes introduces calls to printf, which we cannot compile
                // with WASM due to its lack of libc. printf is never necessary and we can
                // just #define it away.

secp256k1-sys/src/lib.rs

@@ -672,6 +672,147 @@ extern "C" {
                                   hashfp: EllswiftEcdhHashFn,
                                   data: *mut c_void)
                                   -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_pubnonce_parse")]
+    pub fn secp256k1_musig_pubnonce_parse(
+        cx: *const Context,
+        nonce: *mut MusigPubNonce,
+        in66: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_pubnonce_serialize")]
+    pub fn secp256k1_musig_pubnonce_serialize(
+        cx: *const Context,
+        out66: *mut c_uchar,
+        nonce: *const MusigPubNonce,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_aggnonce_parse")]
+    pub fn secp256k1_musig_aggnonce_parse(
+        cx: *const Context,
+        nonce: *mut MusigAggNonce,
+        in66: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_aggnonce_serialize")]
+    pub fn secp256k1_musig_aggnonce_serialize(
+        cx: *const Context,
+        out66: *mut c_uchar,
+        nonce: *const MusigAggNonce,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_partial_sig_parse")]
+    pub fn secp256k1_musig_partial_sig_parse(
+        cx: *const Context,
+        sig: *mut MusigPartialSignature,
+        in32: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_partial_sig_serialize")]
+    pub fn secp256k1_musig_partial_sig_serialize(
+        cx: *const Context,
+        out32: *mut c_uchar,
+        sig: *const MusigPartialSignature,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_pubkey_agg")]
+    pub fn secp256k1_musig_pubkey_agg(
+        cx: *const Context,
+        agg_pk: *mut XOnlyPublicKey,
+        keyagg_cache: *mut MusigKeyAggCache,
+        pubkeys: *const *const PublicKey,
+        n_pubkeys: size_t,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming),link_name = "rustsecp256k1_v0_11_musig_pubkey_get")]
+    pub fn secp256k1_musig_pubkey_get(
+        cx: *const Context,
+        agg_pk: *mut PublicKey,
+        keyagg_cache: *const MusigKeyAggCache,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_pubkey_ec_tweak_add")]
+    pub fn secp256k1_musig_pubkey_ec_tweak_add(
+        cx: *const Context,
+        output_pubkey: *mut PublicKey,
+        keyagg_cache: *mut MusigKeyAggCache,
+        tweak32: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_pubkey_xonly_tweak_add")]
+    pub fn secp256k1_musig_pubkey_xonly_tweak_add(
+        cx: *const Context,
+        output_pubkey: *mut PublicKey,
+        keyagg_cache: *mut MusigKeyAggCache,
+        tweak32: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_nonce_gen")]
+    pub fn secp256k1_musig_nonce_gen(
+        cx: *const Context,
+        secnonce: *mut MusigSecNonce,
+        pubnonce: *mut MusigPubNonce,
+        session_secrand32: *const c_uchar,
+        seckey: *const c_uchar,
+        pubkey: *const PublicKey,
+        msg32: *const c_uchar,
+        keyagg_cache: *const MusigKeyAggCache,
+        extra_input32: *const c_uchar,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_nonce_agg")]
+    pub fn secp256k1_musig_nonce_agg(
+        cx: *const Context,
+        aggnonce: *mut MusigAggNonce,
+        pubnonces: *const *const MusigPubNonce,
+        n_pubnonces: size_t,
+    ) -> c_int;
+
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_nonce_process")]
+    pub fn secp256k1_musig_nonce_process(
+        cx: *const Context,
+        session: *mut MusigSession,
+        aggnonce: *const MusigAggNonce,
+        msg32: *const c_uchar,
+        keyagg_cache: *const MusigKeyAggCache,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_partial_sign")]
+    pub fn secp256k1_musig_partial_sign(
+        cx: *const Context,
+        partial_sig: *mut MusigPartialSignature,
+        secnonce: *mut MusigSecNonce,
+        keypair: *const Keypair,
+        keyagg_cache: *const MusigKeyAggCache,
+        session: *const MusigSession,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_partial_sig_verify")]
+    pub fn secp256k1_musig_partial_sig_verify(
+        cx: *const Context,
+        partial_sig: *const MusigPartialSignature,
+        pubnonce: *const MusigPubNonce,
+        pubkey: *const PublicKey,
+        keyagg_cache: *const MusigKeyAggCache,
+        session: *const MusigSession,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_musig_partial_sig_agg")]
+    pub fn secp256k1_musig_partial_sig_agg(
+        cx: *const Context,
+        sig64: *mut c_uchar,
+        session: *const MusigSession,
+        partial_sigs: *const *const MusigPartialSignature,
+        n_sigs: size_t,
+    ) -> c_int;
+
+    #[cfg_attr(not(rust_secp_no_symbol_renaming), link_name = "rustsecp256k1_v0_11_ec_pubkey_sort")]
+    pub fn secp256k1_ec_pubkey_sort(
+        ctx: *const Context,
+        pubkeys: *mut *const PublicKey,
+        n_pubkeys: size_t
+    ) -> c_int;
 }
 
 #[cfg(not(secp256k1_fuzz))]
@@ -1097,6 +1238,94 @@ impl <T: CPtr> CPtr for Option<T> {
         }
     }
 }
+/// Total length (in bytes) of the key aggregation context.
+/// This structure packs all metadata needed for aggregating individual public keys
+/// into a single MuSig2 aggregated key (including coefficients and any extra metadata).
+pub const MUSIG_KEYAGG_LEN: usize = 197;
+
+/// Length (in bytes) of the secret nonce structure used in a MuSig2 session.
+/// It holds the secret (ephemeral) nonces used internally for nonce derivation
+/// before the corresponding public nonces are computed.
+pub const MUSIG_SECNONCE_LEN: usize = 132;
+
+/// Length (in bytes) of the public nonce structure.
+/// This is derived from the secret nonce and shared among participants to build
+/// nonce commitments in the MuSig2 protocol.
+pub const MUSIG_PUBNONCE_LEN: usize = 132;
+
+/// Length (in bytes) of the aggregated nonce structure.
+/// Represents the combined nonce obtained by aggregating the individual public nonces
+/// from all participants for the final signature computation.
+pub const MUSIG_AGGNONCE_LEN: usize = 132;
+
+/// Serialized length (in bytes) of the aggregated nonce.
+/// This is the compact form (typically using a compressed representation) used for
+/// transmitting or storing the aggregated nonce.
+pub const MUSIG_AGGNONCE_SERIALIZED_LEN: usize = 66;
+
+/// Serialized length (in bytes) of an individual public nonce.
+/// This compact serialized form is what gets exchanged between signers.
+pub const MUSIG_PUBNONCE_SERIALIZED_LEN: usize = 66;
+
+/// Length (in bytes) of the session structure.
+/// The session object holds all state needed for a MuSig2 signing session (e.g. aggregated nonce,
+/// key aggregation info, and other state necessary for computing partial signatures).
+pub const MUSIG_SESSION_LEN: usize = 133;
+
+/// Length (in bytes) of the internal representation of a partial signature.
+/// This structure include magic bytes ([0xeb, 0xfb, 0x1a, 0x32]) alongside the actual signature scalar.
+pub const MUSIG_PART_SIG_LEN: usize = 36;
+
+/// Serialized length (in bytes) of a partial signature.
+/// This is the compact form (typically just the 32-byte scalar) that is used when communicating
+/// partial signatures to be combined into the final signature.
+pub const MUSIG_PART_SIG_SERIALIZED_LEN: usize = 32;
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct MusigKeyAggCache([c_uchar; MUSIG_KEYAGG_LEN]);
+impl_array_newtype!(MusigKeyAggCache, c_uchar, MUSIG_KEYAGG_LEN);
+impl_raw_debug!(MusigKeyAggCache);
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq)]
+pub struct MusigSecNonce([c_uchar; MUSIG_SECNONCE_LEN]);
+impl_array_newtype!(MusigSecNonce, c_uchar, MUSIG_SECNONCE_LEN);
+impl_raw_debug!(MusigSecNonce);
+
+impl MusigSecNonce {
+    pub fn dangerous_from_bytes(bytes: [c_uchar; MUSIG_SECNONCE_LEN]) -> Self {
+        MusigSecNonce(bytes)
+    }
+
+    pub fn dangerous_into_bytes(self) -> [c_uchar; MUSIG_SECNONCE_LEN] {
+        self.0
+    }
+}
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct MusigPubNonce([c_uchar; MUSIG_PUBNONCE_LEN]);
+impl_array_newtype!(MusigPubNonce, c_uchar, MUSIG_PUBNONCE_LEN);
+impl_raw_debug!(MusigPubNonce);
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct MusigAggNonce([c_uchar; MUSIG_AGGNONCE_LEN]);
+impl_array_newtype!(MusigAggNonce, c_uchar, MUSIG_AGGNONCE_LEN);
+impl_raw_debug!(MusigAggNonce);
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct MusigSession([c_uchar; MUSIG_SESSION_LEN]);
+impl_array_newtype!(MusigSession, c_uchar, MUSIG_SESSION_LEN);
+impl_raw_debug!(MusigSession);
+
+#[repr(C)]
+#[derive(Copy, Clone, PartialEq, Eq, PartialOrd, Ord, Hash)]
+pub struct MusigPartialSignature([c_uchar; MUSIG_PART_SIG_LEN]);
+impl_array_newtype!(MusigPartialSignature, c_uchar, MUSIG_PART_SIG_LEN);
+impl_raw_debug!(MusigPartialSignature);
 
 #[cfg(secp256k1_fuzz)]
 mod fuzz_dummy {